Splunk Search

Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED___default-autolb-group_10

roderick001
Explorer

Hi, I have this error message and it is stopping any data being shown in data summary. I can't add any data as .zip or .csv.

I see real-time win logs being pumped in but can't actually add data manually.

I am forwarding data to localhost and receiving on port 9997. Since I changed forwarding and receiving, I have had this error message.

Are there default forwarding and receiving ports? 

Will a re-install of Splunk Enterprise web interface give me back default settings so I can manually add data again?

I can get data in Lookups but I really need to be able to add data manually.

Thanks for any help.

0 Karma

richgalloway
SplunkTrust

That you report successfully getting Windows logs into Splunk means the connection is working.

How exactly are you trying to manually add data?

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

roderick001
Explorer

Hi @richgalloway, I am adding data from the 'add data' button, using \\(.*)\/ as 'regular expression on path'.

But data summary is not showing the data.

I have got the file loaded successfully and go on to search it:

source="edgarlog3.zip:*" 

But nothing is visible. The data must be sitting somewhere, but I cannot access it.

I'm also getting in web_ping data, but I really need to push some files manually into Splunk.

Thanks for your help.

0 Karma

richgalloway
SplunkTrust

So you're trying to ingest \\*?  As in every host on your network?  I expect the performance of that to be bad.

Can you put a UF on each host, instead?

---
If this reply helps you, Karma would be appreciated.
0 Karma

roderick001
Explorer

@richgalloway 

Yes, I want to use events to analyse my csv file, but cannot see the data.

I'm running Splunk Enterprise free, so I can't use UFs. So you see I need manual upload to work.

I have files previously loaded successfully, but cannot now upload new ones.

I have some large csv files to analyse with a manual upload.

I don't understand why it tells me file uploaded successfully but I cannot see it anywhere on my Splunk UI.

Thanks.

0 Karma

richgalloway
SplunkTrust

It's possible the UI said the upload was successful when it really wasn't.  Have you checked splunkd.log?

Have you verified you're looking for the data in the right place and time?  Verify the index and source names as well as the time window.  Use earliest=0 latest=+1y in case the timestamps got messed up.

---
If this reply helps you, Karma would be appreciated.
0 Karma
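
Added example, not part of the original replies: the two checks suggested above written as searches. The first looks for the uploaded source across every searchable index with the wide time window from the reply; the second summarises recent warnings and errors from splunkd.log. The source name is taken from the thread; searching `index=*` and the 24-hour window on `_internal` are assumptions.

```spl
| tstats count min(_time) as first_event max(_time) as last_event
    where index=* source="edgarlog3.zip:*" earliest=0 latest=+1y
    by index, sourcetype, source
| convert ctime(first_event) ctime(last_event)

index=_internal source=*splunkd.log* (log_level=WARN OR log_level=ERROR) earliest=-24h
| stats count latest(_time) as last_seen by component, log_level
| convert ctime(last_seen)
| sort - count
```

Run each search separately. If the first returns rows, the index and the first_event/last_event values show where and at what timestamps the file landed; if it returns nothing, the components listed by the second search are the place to start reading splunkd.log.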

roderick001
Explorer

Hi @richgalloway 

Ok, yes, it might be not loading successfully even though it says it is...

...I will take a look, and get back to you, thanks.

0 Karma